Vulnerability Development mailing list archives

RE: controlling ebp/eip of a frame, does it always lead to possible code execution?


From: "Fisch, Matthew" <mfisch () kaz com>
Date: Fri, 19 Sep 2003 13:06:42 -0400

Ingram,

  I may be mistaken, but I think I remember some people on the FreeBSD dev team talking about how their sshd was not 
vulnerable to this arbitrary code execution attack (although sshd was crashable). I don't recall if there was a change 
in their openssh code, or an OS restriction.

-----Original Message-----
From: Ingram [mailto:Vail () gmx net] 
Sent: Thursday, September 18, 2003 1:45 PM
To: vuln-dev () securityfocus com
Cc: pondermate () hotmail com
Subject: Re: controlling ebp/eip of a frame, does it always lead to possible code execution?

deepcode . wrote:

By the looks of it, you are doing everything right. Your overwritten return address points directly to your nop's. The shellcode should be executed.

What OS are you on? You may have additional stack protections on the system to prevent standard overflows; particularly Red Hat 9 (Shrike), which I'm using now, will prevent this. Not sure exactly how yet ...

*doh*, sorry, forgot to mention the OS: I am running FreeBSD 4.8 without any stack protections.


